Analysis
max time kernel: 144s
max time network: 134s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 09/01/2024, 06:49
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe
Size: 486KB
MD5: e008f6de1c33acafea60d513c90cc527
SHA1: 08cee0c7e1103cc7a69d857b76e1bd37b6e2454f
SHA256: 2b4b67331f91dfe4516336b5ca5868cb774e359d4647abad88131eb9c30fa0b3
SHA512: eed6b8c5950379bfb554033502bd92ec384d10822b7b1e493a1bab133e7a21218de068267f7b1f4f0b8d4c6e90642a1e12331ac37560e897e6a8513a7b7e022e
SSDEEP: 6144:fpzhInoFPRsVmVE600C978/1ZkycpBQEJIbxWeow9b51YIJNpltL33fOcMsHpeUg:frF2600C977x5w9b51tJTltr32c1JeUg
Malware Config
Signatures
Executes dropped EXE 1 IoCs
  PID 2672 | Process 6D34.tmp
Loads dropped DLL 1 IoCs
  PID 1352 | Process 2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings 9 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Note: all nine entries are written by WINWORD.EXE and are Office 2010's own Internet Explorer integration keys (the "Send to OneNote" and "Export to Microsoft Excel" context-menu extensions and the discussion toolbar button), which Office registers on first launch; they are not sample-specific indicators.
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  PID 2508 | Process WINWORD.EXE
Suspicious behavior: RenamesItself 1 IoCs
  PID 2672 | Process 6D34.tmp
Suspicious use of SetWindowsHookEx 6 IoCs
  PID 2508 | Process WINWORD.EXE (6 identical entries)
Suspicious use of WriteProcessMemory 8 IoCs
  description | pid | Process | procid_target
  PID 1352 wrote to memory of 2672 | 1352 | 2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe | 28 (4 identical entries)
  PID 2672 wrote to memory of 2508 | 2672 | 6D34.tmp | 29 (4 identical entries)
  Note: both write groups coincide with the process creations in the tree below (1352 spawns 2672, 2672 spawns 2508). A parent writing into a child it has just created is also what CreateProcess does to set up the child's process parameters, so these entries on their own do not establish code injection.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe"
    PID: 1352
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\6D34.tmp
      command line: "C:\Users\Admin\AppData\Local\Temp\6D34.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe 7DFF95DC9C4E05D9AF941A9DB7EC3B9347EEF107F7AB9BB6FCF1C2599FCF20B79C7DAB53B950B07460B48E9A93C84CC390874EEB494D315BBC6547879CAD7CAA
      PID: 2672
      - Executes dropped EXE
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.docx"
        PID: 2508
        - Modifies Internet Explorer settings
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
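The process tree above is the whole story of this run: an executable in %TEMP% launches a dropped .tmp as a process, and that .tmp opens Word on a .docx in %TEMP% that carries the sample's own file name (a decoy document). The following is an added example, not code from tria.ge or from this report, of how to turn that chain into two detection rules over process-creation records. The Proc records are constructed from the Processes section; the rule names, the Proc/detect/in_temp/ancestors helpers, the OFFICE and SHELLS sets and the document-extension regex are assumptions of this example, not tria.ge signatures.

```python
"""Added example: rule logic over the process tree recorded in this report.
The Proc records are constructed from the Processes section above; rule
names, helpers and the OFFICE/SHELLS sets are assumptions of this example."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterator, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for the root of the recorded tree
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\6D34.tmp"
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
DECOY = r"C:\Users\Admin\AppData\Local\Temp\2024-01-08_e008f6de1c33acafea60d513c90cc527_mafia.docx"

# Constructed from the report's process tree: 1352 -> 2672 -> 2508.
PROCS = [
    Proc(1352, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(2672, 1352, DROPPED,
         f'"{DROPPED}" --help{SAMPLE} 7DFF95DC9C4E05D9AF941A9DB7EC3B9347EEF107F7AB9BB6FCF1C2599FCF20B79C7DAB53B950B07460B48E9A93C84CC390874EEB494D315BBC6547879CAD7CAA'),
    Proc(2508, 2672, WINWORD, f'"{WINWORD}" /n "{DECOY}"'),
]

TEMP_FRAG = "\\appdata\\local\\temp\\"          # matched case-insensitively
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = OFFICE | {"explorer.exe"}             # parents that normally open documents
DOC_RE = re.compile(r'"([^"]+\.(?:docx?|xlsx?|pptx?|rtf))"', re.I)


def in_temp(path: str) -> bool:
    """True for anything under the user's %TEMP% directory."""
    return TEMP_FRAG in path.lower()


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def stem(path: str) -> str:
    return ntpath.splitext(base(path))[0]


def ancestors(by_pid: dict, pid: int) -> Iterator[Proc]:
    """Walk parent links from pid upward (the process itself excluded)."""
    p = by_pid.get(pid)
    while p is not None and p.ppid is not None:
        p = by_pid.get(p.ppid)
        if p is not None:
            yield p


def detect(procs) -> set:
    """Return (rule, pid) pairs for every process that matches a rule."""
    by_pid = {p.pid: p for p in procs}
    hits = set()
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        # Rule 1: a .tmp under %TEMP% executed as a process by another %TEMP%
        # executable (the "Executes dropped EXE" step of this chain).
        if base(p.image).endswith(".tmp") and in_temp(p.image) \
                and parent is not None and in_temp(parent.image):
            hits.add(("dropped_tmp_executed", p.pid))
        # Rule 2: an Office binary launched by something other than the shell
        # or another Office process, on a %TEMP% document whose stem equals
        # the stem of an ancestor executable (a decoy document).
        if base(p.image) in OFFICE and parent is not None and base(parent.image) not in SHELLS:
            lineage = {stem(a.image) for a in ancestors(by_pid, p.pid)}
            for doc in DOC_RE.findall(p.cmdline):
                if in_temp(doc) and stem(doc) in lineage:
                    hits.add(("decoy_document", p.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in sorted(detect(PROCS)):
        print(f"{rule}: pid {pid}")
```

Run against the constructed records, detect() flags PID 2672 under the first rule and PID 2508 under the second. Rule 2 keys on lineage rather than on the WINWORD.EXE command line alone because a user double-clicking a document also produces "WINWORD.EXE /n <path>"; the distinguishing features here are the non-shell parent and a document in %TEMP% named after an executable further up the tree.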
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 140KB
MD5: e90e498009a13ae957dcde4e01065e7d
SHA1: dcb4cc9b7d1ed3becc625597422d60aaf068a759
SHA256: ca91bbd477e2a516997c48dde3da1a5eae4cad86ca664fea54f0103739073c94
SHA512: 4d0868f653e6c57d4011430ab81688f4f039550a9a0b5b1ce5ab1a695cb1dca7d7cdfb1d7c3920c35bbd3a8b441c820f00ae4e71f749650545ddd6894d597766

Filesize: 466KB
MD5: 38491e7be832c43247cd1ada986bb9c1
SHA1: 83695a3d816c75e2a0ee088bfb44cff09e05cbab
SHA256: ddf8a9cd8860c746d1ca524db3af89008f2ab9f3dd0944889f7112a5488ddc35
SHA512: 367c764577a41f63b75be1118ccf1ce98e10853885cee76733a9f7198fae5ff1bfb977fa1b91b4f435e4db6e89bbaf79ca05a70ed04db7862f87fe42e5b43ec8

Filesize: 381KB
MD5: 6b676b226d978dfb0dc6b83a8537f9ad
SHA1: 33bd16c47514b4133e74d6220f91d295d395d721
SHA256: 13c585b986af00bb9e2d0cd1cbf1f0c87dbb9ae49918af43cbe9a0836989a4c0
SHA512: a936f626c885bd64fc9b769ee56e4c46b081fbb160f8002608c0b3258cba9311051f0bea5ba5634c32949a2653d8c03e26d3850ee5e3d4100e0672050fe2a7cb